The United States has been infiltrating Russian infrastructure for years, The New York Times reported on Saturday, describing an effort of “digital incursions into Russia’s electric power grid” that have intensified since 2018.
Those cyber invasions, the Times reports, have taken both the form of “reconnaissance probes” as well as more destructive code that’s “potentially crippling.”
While it’s unclear precisely what kind of cyber “incursions” the US has actually been carrying out—if any at all—the concept of a cyber attack disabling infrastructure in another country is not a hypothetical one. In fact, it has already happened in the Ukraine twice: in 2015 and 2016. Experts assessed that Russia perpetrated those attacks.
Hit the lights
That 2015 electrical disruption is what Robert M. Lee, the CEO of industrial cybersecurity firm Dragos, refers to as “the first-ever cyber attack to take down power.” The first attack took out substations and cut the power for around 225,000 customers, Lee says; the second attack affected a transmission site and caused an outage in Kiev.
A country bent on harming another nation through cyber warfare likely can’t trigger something apocalyptic, but can do serious harm. “I often tell people the threat is worse than they realize, but not as bad as they want to imagine,” Lee says. In other words, one nation probably can’t catalyze a meltdown at a nuclear power plant. But shutting off the electricity, or disrupting railroad systems, or oil and gas infrastructure, could dearly cost an adversary economically. It could even kill people, if vaccine production or a hospital were affected, for example. “It’s without a question that they could cause significant impact to human life,” Lee says.
If one nation-state wanted to aggressively target another through cyber warfare, Lee says that in addition to the damage to the adversary’s economy and loss of life, the perpetrating country would make mistakes as they tried to figure out what they were actually doing. They’d be encountering unfamiliar systems or equipment.
So what’s the US actually doing? Like with nuclear deterrence, there is a difference between having a weapon and deploying the weapon—and just having it can be enough. “I do not think that the United States government is actually implanting foreign infrastructure,” Lee says.
Instead, militaries in general want the capability to achieve parity with its opponents, or be able to do what its enemies can do, and the US is likely no exception.
When trying to gain access to an industrial system, Lee says, the most likely method is through infecting the software that these specific systems run on—for example, an offsite expert might use a virtual private network to update a plant’s software from afar, but hackers could hijack that person’s legitimate connection. The goal is to implant code into a software update a plant receives. “Sometimes it’s as simple as weak passwords on a connection,” he adds.
Multiple ways in
According to other experts, another method to infiltrate an adversary’s system is the same approach that the IT person at your office warned you about: phishing.
Phishing, for example, is when you receive an email asking you to do something mundane like change your password by clicking on a link. Or, it can be a malware-infected document you are enticed into downloading. The vast majority of cyber attacks start with a phishing attempt, says one former Department of Defense analyst; that same rule applies with cyber warfare involving nation-state against nation-state, this person says.
It’s a common way in the door: getting a victim to click a link, or download a file, or otherwise run code on their machine inadvertently, such as by clicking on an ad on a website. The more important question a hacker trying to carry out an attack like this first must consider, this analyst says, is what the goal is: it might be more subtle than simply trying to turn off the lights. Perhaps the objective is to just change the utility bills the country’s citizens receive.
The first step is to identify the organization you want to disrupt, and the people who work there. Hackers are “going to them send phishing emails, and get those people to click on links, and download files, so they can gain access to their computers,” the expert says. “From there, they’re going to have malware, or specialized code, which will achieve the effect.”
Then, a hacker will use that entry point to explore the connected computers in the network and ultimately attempt to achieve their goal. “It’s really painstaking and laborious work,” this person says. “You have to go from that one person that you phished into the right part of the network.”
Isaac Porche, a senior engineer with the RAND corporation, agrees that phishing—sometimes referred to as spearfishing if the attack is more targeted—is an easy way for one entity to broach another’s systems. “You look at all types of cyberattacks, all over the world, and spearfishing works really well most of the time,” Porche says. “So why bother with something more sophisticated when you can probably get someone to click on a link and then download malware?”